* [LARTC] HTB shaping different subnets...
@ 2003-08-05 13:48 Rokas Zakarevicius
2003-08-05 14:04 ` Albert Manyà
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Rokas Zakarevicius @ 2003-08-05 13:48 UTC (permalink / raw)
To: lartc
Hi,
My network configuration is:
ADSL modem-----ppp0[LINUX box]eth0 (192.168.1.254)---HUB---LAN
Slackware 8.1 LINUX, 2.4.20 kernel with QoS directives compiled in
the kernel.
I use HTB to shape download and upload traffic. I use HTB shape on
eth0 interface for download traffic, and shape on ppp0 interface for
upload traffic.
I want to connect some other computers to the LAN, but I want to
give them IP addresses from the 192.168.2.1-254 range so that these new
PCs can't "see" the old PCs in the LAN. But I want these new PCs
to be able to get to the Internet through my LINUX box. I think I
have to use IP aliasing on my LINUX box's eth0 interface to do this.
Am I right, or is there any other means to do it? (I don't want to
install a new ethernet interface for the new subnet in my LINUX box).
But if I used IP aliasing on the eth0 interface, would I be able to
shape download traffic, since I have to shape the eth0 interface for
download traffic? Please give me some comments on this
question.
Thank you,
Rokas Zakarevicius
<--------------------==================-------------------->
DELFI Webmail mail system [ http://webmail.delfi.lt/ ]
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] HTB shaping different subnets...
From: Albert Manyà @ 2003-08-05 14:04 UTC (permalink / raw)
To: lartc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've done that with IP aliasing without any problems.
- --
Albert Manyà i Pau
hp: http://www.awacat.com/~albert
email: albertmp@ctv.es
jabberid: elmoro@akl.lt
pgp id: 0xED844226
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/L7kLfzJyEe2EQiYRAsEDAJ9rr1AmvFh06DTr0sY+hmfzn5/Y/QCg1tJD
4vOmJqdzWfDaQ8ElYV+dc4o=
=8ppC
-----END PGP SIGNATURE-----
* Re: [LARTC] HTB shaping different subnets...
From: Martin A. Brown @ 2003-08-05 14:15 UTC (permalink / raw)
To: lartc
Rokas,
: ADSL modem-----ppp0[LINUX box]eth0 (192.168.1.254)---HUB---LAN
Got it.
: I use HTB to shape download and upload traffic. I use HTB shape on eth0
: interface for download traffic, and shape on ppp0 interface for upload
: traffic.
Perfect.
: I want to connect some other computers to the LAN, but I want to give
: them IP adresses from 192.168.2.1-254 range that these new PC's
: couldn't "see" old PC's in the LAN.
If you are indeed using a hub, then each of the machines on the internal
network will be able to see the others, and all of the traffic, but only
under two potential conditions:
- a user puts the NIC into promiscuous mode
- a user adds a route to the other IP network via the NIC
But these are security considerations, and probably not a problem for
you.
: But I want these new PC's to be able to get to the Internet through my
: LINUX box. I think I have to use IP aliasing on my LINUX box's eth0
: interface to do this.
Yes, you can do this. There'd be no problem here.
: Am I right, or is it any other mean to do it ? (I don't want to install
: a new ethernet interface for the new subnet to my LINUX box).
This will bring up a new address on eth0, cause the kernel to respond for
ARP, and add a route to the 192.168.2.0/24 network:
ip address add 192.168.2.254/24 dev eth0
I'd recommend, additionally, that you block all traffic to/from each of the
192.168.x.0/24 networks:
iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
Note that this still doesn't prevent users on each segment from potentially
seeing each other (see above)--it just means that the IP networks will not
be able to forward packets through your linux box to each other.
: But if I used IP aliasing on eth0 interface, would I be able to shape
: download traffic, because I have to shape eth0 interface for download
: traffic ??? Please give me some comments about this question.
You may need to alter your traffic control configuration to include
references to the new IP range, but there is no problem with this
solution.
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
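
Putting the pieces from Martin's reply into one script, as an added example that is not part of the thread: it brings up the secondary address on eth0, blocks forwarding between the two /24s, masquerades both out ppp0, and gives each subnet its own HTB class on eth0 for download shaping. The interface names and 192.168.2.254 come from the thread; the rates, class ids, the 1:30 default class, the sysctl call and the DRY_RUN/APPLY switches are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): second subnet on eth0 with
# forwarding isolation, NAT and per-subnet HTB download classes.
#   DRY_RUN=1 sh shape-subnets.sh   -> print the commands (no root needed)
#   APPLY=1   sh shape-subnets.sh   -> execute them
# Everything below the thread's "ip address add" line is an assumption.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
OLD_NET=${OLD_NET:-192.168.1.0/24}
NEW_NET=${NEW_NET:-192.168.2.0/24}
NEW_GW=${NEW_GW:-192.168.2.254/24}
DOWN_RATE=${DOWN_RATE:-1000kbit}   # assumed total downstream ceiling
OLD_RATE=${OLD_RATE:-600kbit}      # assumed guaranteed share, old LAN
NEW_RATE=${NEW_RATE:-400kbit}      # assumed guaranteed share, new LAN

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Secondary address on eth0: the kernel answers ARP for it and gets a
#    connected route to 192.168.2.0/24 (the line Martin gave).
add_alias() {
    run ip address add "$NEW_GW" dev "$LAN_IF"
}

# 2. Isolation at layer 3. Inserted at the head of FORWARD so that an
#    existing "accept everything from the LAN" rule cannot match first;
#    with -A (as in the thread) the DROP only works if nothing above it
#    already accepts. This does nothing about layer 2: on a hub a host in
#    promiscuous mode still sees every frame, and a user who re-addresses
#    into 192.168.1.x talks to the old LAN directly, never touching FORWARD.
isolate_subnets() {
    run iptables -I FORWARD 1 -s "$NEW_NET" -d "$OLD_NET" -j DROP
    run iptables -I FORWARD 1 -s "$OLD_NET" -d "$NEW_NET" -j DROP
}

# 3. Masquerade both subnets out the PPP link and enable forwarding.
masquerade() {
    run iptables -t nat -A POSTROUTING -s "$OLD_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$NEW_NET" -o "$WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# 4. HTB on eth0 (download direction): a root class with the link ceiling,
#    one child per subnet selected by destination address with u32 filters,
#    and a small default class for anything that matches neither.
shape_download() {
    run tc qdisc del dev "$LAN_IF" root 2>/dev/null || true
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 30
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$DOWN_RATE"
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "$OLD_RATE" ceil "$DOWN_RATE"
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "$NEW_RATE" ceil "$DOWN_RATE"
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:30 htb rate 64kbit ceil "$DOWN_RATE"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$OLD_NET" flowid 1:10
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$NEW_NET" flowid 1:20
}

main() {
    add_alias
    isolate_subnets
    masquerade
    shape_download
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ -n "${APPLY:-}" ] || [ -n "${DRY_RUN:-}" ]; then
    main
fi
```

The shaping part answers the original question: the alias changes nothing about where download traffic leaves the box (still eth0), so the existing HTB tree stays; what is new is that the filters must now classify by destination subnet, otherwise 192.168.2.x traffic falls into the default class.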
* Re: [LARTC] HTB shaping different subnets...
From: Rokas @ 2003-08-06 5:30 UTC (permalink / raw)
To: lartc
Hi Martin,
Thank you very much for your help.
I entered: ip address add 192.168.2.254/24 dev eth0
and also I added IP masquerading for this address range.
Everything now is working very well, just as I wanted.
Of course, if a user changed his IP address from the 192.168.2.* range
into 192.168.1.*, he would be able to "see" the rest of the network
neighbourhood. But I don't think this would be a problem, because
most of the LAN users are just newbie PC users... :)
Thank you,
Rokas Zakarevicius
> If you are indeed using a hub, then each of the machines on the internal
> network will be able to see the others, and all of the traffic, but only
> under two potential conditions:
>
> - a user puts the NIC into promiscuous mode
> - a user adds a route to the other IP network via the NIC
>
> But these are security considerations, and probably not a problem for
> you.
>
>
> This will bring up a new address on eth0, cause the kernel to respond for
> ARP, and add a route to the 192.168.2.0/24 network:
>
> ip address add 192.168.2.254/24 dev eth0
>
> I'd recommend, additionally, that you block all traffic to/from each of the
> 192.168.x.0/24 networks:
>
> iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
> iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
>
> Note that this still doesn't prevent users on each segment from potentially
> seeing each other (see above)--it just means that the IP networks will not
> be able to forward packets through your linux box to each other.
>
> You may need to alter your traffic control configuration to include
> references to the new IP range, but there is no problem with this
> solution.
>
> -Martin